Iphone

A Text Message Can Crash An iPhone and Force It To Reboot 96

Posted by Soulskill
from the easy-way-to-get-your-kids-to-put-the-phone-down dept.
DavidGilbert99 writes with news that a bug in iOS has made it so anyone can crash an iPhone by simply sending it a text message containing certain characters. "When the text message is displayed by a banner alert or notification on the lockscreen, the system attempts to abbreviate the text with an ellipsis. If the ellipsis is placed in the middle of a set of non-Latin script characters, including Arabic, Marathi and Chinese, it causes the system to crash and the phone to reboot." The text string is specific enough that it's unlikely to happen by accident, and users can disable text notification banners to protect themselves from being affected. However, if a user receives the crash-inducing text, they won't be able to access the Messages app without causing another crash. A similar bug crashed applications in OS X a few years ago.
Security

Insurer Won't Pay Out For Security Breach Because of Lax Security 77

Posted by Soulskill
from the ounce-of-prevention-is-worth-a-ton-of-green dept.
chicksdaddy writes: In what may become a trend, an insurance company is denying a claim from a California healthcare provider following the leak of data on more than 32,000 patients. The insurer, Columbia Casualty, charges that Cottage Health System did an inadequate job of protecting patient data. In a complaint filed in U.S. District Court in California, Columbia alleges that the breach occurred because Cottage and a third party vendor, INSYNC Computer Solution, Inc. failed to follow "minimum required practices," as spelled out in the policy. Among other things, Cottage "stored medical records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who 'surfed' the Internet," the complaint alleges. Disputes like this may become more common, as insurers anxious to get into a cyber insurance market that's growing by about 40% annually use liberally written exclusions to hedge against "known unknowns" like lax IT practices, pre-existing conditions (like compromises) and so on.
Security

IRS: Personal Info of 100,000 Taxpayers Accessed Illegally 75

Posted by Soulskill
from the disincentive-to-pay-your-taxes dept.
An anonymous reader writes: The Associated Press reports that an online service provided by the IRS was used to gather the personal information of more than 100,000 taxpayers. Criminals were able to scrape the "Get Transcript" system to acquire tax return information. They already had a significant amount of information about these taxpayers, though — the system required a security check that included knowledge of a person's social security number, date of birth, and filing status. The system has been shut down while the IRS investigates and implements better security, and they're notifying the taxpayers whose information was accessed.
Social Networks

Linux/Moose Worm Targets Routers, Modems, and Embedded Systems 103

Posted by Soulskill
from the moose-is-the-penguin's-natural-enemy dept.
An anonymous reader writes: Security firm ESET has published a report on new malware that targets Linux-based communication devices (modems, routers, and other internet-connected systems) to create a giant proxy network for manipulating social media. It's also capable of hijacking DNS settings. The people controlling the system use it for selling "follows," "likes," and so forth on social media sites like Twitter, Instagram, Vine, Facebook, and Google+. Affected router manufacturers include: Actiontec, Hik Vision, Netgear, Synology, TP-Link, ZyXEL, and Zhone. The researchers found that even some medical devices were vulnerable to the worm, though it wasn't designed specifically to work with them.
Android

Hyundai Now Offers an Android Car, Even For Current Owners 79

Posted by timothy
from the one-way-to-spin-it dept.
An anonymous reader writes: Looking more like a computer company than a car company, Hyundai ships Android Auto on 2015 Sonatas and unlocks it for owners of the 2015 Sonata with a software update. Says the article: To enable Android Auto, existing 2015 Hyundai Sonata owners outfitted with the Navigation feature can download an update to a USB drive, plug it into the car's USB port, and rewrite the software installed in the factory on the head-unit. When the smartphone is plugged into the head-unit with a USB cable, the user is prompted to download Android Auto along with mobile apps. Android Auto requires Android 5.0 or above. That sounds like a good description of how I'd like my car's head unit to work -- and for that matter, I'd like access to all of the software.
Security

Exploit Kit Delivers Pharming Attacks Against SOHO Routers 26

Posted by timothy
from the north-of-houston-you're-ok dept.
msm1267 writes: For the first time, DNS redirection attacks against small office and home office routers are being delivered via exploit kits. French security researcher Kafeine said an exploit kit has been finding success in driving traffic from compromised routers to the attackers' infrastructure. The risk to users is substantial, he said, ranging from financial loss, to click-fraud, man-in-the-middle attacks and phishing.
Spam

Attackers Use Email Spam To Infect Point-of-Sale Terminals 81

Posted by samzenpus
from the protect-ya-neck dept.
jfruh writes: Point-of-sale software has meant that in many cases where once you'd have seen a cash register, you now see a general-purpose PC running point-of-sale (PoS) software. Unfortunately, those PCs have all the usual vulnerabilities, and when you run software on it that processes credit card payments, they become a tempting target for hackers. One of the latest attacks on PoS software comes in the form of malicious Word macros downloaded from spam emails.
Privacy

Sniffing and Tracking Wearable Tech and Smartphones 52

Posted by samzenpus
from the all-the-better-to-follow-you-with dept.
An anonymous reader writes: Senior researcher Scott Lester at Context Information Security has shown how someone can easily monitor and record Bluetooth Low Energy signals transmitted by many mobile phones, fitness monitors, and iBeacons. The findings have raised concerns about the privacy and confidentiality wearable devices may provide. “Many people wearing fitness devices don’t realize that they are broadcasting constantly and that these broadcasts can often be attributed to a unique device,” said Scott says. “Using cheap hardware or a smartphone, it could be possible to identify and locate a particular device – that may belong to a celebrity, politician or senior business executive – within 100 meters in the open air. This information could be used for social engineering as part of a planned cyber attack or for physical crime by knowing peoples’ movements.” The researchers have even developed an Android app that scans, detects and logs wearable devices.
Security

Researchers Devise Voting System That Seems Secure, But Is Hard To Use 102

Posted by Soulskill
from the find-the-candidate-and-hand-them-your-vote dept.
An anonymous reader writes: According to an article in ReadWrite, a team of British and American researchers have developed a hacker resistant process for online voting called Du-Vote. It uses a credit card-sized device that helps to divide the security-sensitive tasks between your computer and the device in a way that neither your computer nor the device learns how you voted (PDF). If a hacker managed to control the computer and the Du-Vote token, he still can't change the votes without being detected.
Security

Hacker Warns Starbucks of Security Flaw, Gets Accused of Fraud 107

Posted by Soulskill
from the biting-the-hand-that-doesn't-steal-from-you dept.
Andy Smith writes: Here's another company that just doesn't get security research. White hat hacker Egor Homakov found a security flaw in Starbucks gift cards which allowed people to steal money from the company. He reported the flaw to Starbucks, but rather than thank him, the company accused him of fraud and said he had been acting maliciously.
Security

Adult Dating Site Hack Reveals Users' Sexual Preference, Extramarital Affairs 173

Posted by Soulskill
from the another-day,-another-breach dept.
An anonymous reader notes this report from Channel 4 News that Adult FriendFinder, one of the largest dating sites in the world, has suffered a database breach that revealed personal information for 3.9 million of its users. The leaked data includes email addresses, IP addresses, birth dates, postal codes, sexual preferences, and information indicating which of them are seeking extramarital affairs. There even seems to be data from accounts that were supposedly deleted. Channel 4 saw evidence that there were plans for a spam campaign against these users, and others are worried that a blackmail campaign will follow. "Where you've got names, dates of birth, ZIP codes, then that provides an opportunity to actually target specific individuals whether they be in government or healthcare for example, so you can profile that person and send more targeted blackmail-type emails," said cybercrime specialist Charlie McMurdy.
Google

NSA Planned To Hijack Google App Store To Hack Smartphones 94

Posted by samzenpus
from the all-the-better-to-see-you-with dept.
Advocatus Diaboli writes: A newly released top secret document reveals that the NSA planned to hijack Google and Samsung app stores to plant spying software on smartphones. The report on the surveillance project, dubbed "IRRITANT HORN," shows the U.S. and its "Five Eyes" alliance: Canada, the United Kingdom, New Zealand and Australia, were looking at ways to hack smartphones and spy on users. According to The Intercept: "The top-secret document, obtained from NSA whistleblower Edward Snowden, was published Wednesday by CBC News in collaboration with The Intercept. The document outlines a series of tactics that the NSA and its counterparts in the Five Eyes were working on during workshops held in Australia and Canada between November 2011 and February 2012."
Security

Netgear and ZyXEL Confirm NetUSB Flaw, Are Working On Fixes 34

Posted by samzenpus
from the protect-ya-neck dept.
itwbennett writes: In follow-up to a story that appeared on Slashdot yesterday about a critical vulnerability in the NetUSB service, networking device manufacturers ZyXEL Communications and Netgear have confirmed that some of their routers are affected and said they are working on fixes. ZyXEL will begin issuing firmware updates in June, while Netgear plans to start releasing patches in the third quarter of the year.
United States

What Was the Effect of Rand Paul's 10-Hour "Filibuster"? 376

Posted by samzenpus
from the lets-keep-talking dept.
An anonymous reader writes: Sen. Rand Paul held up a vote on the Fast Track Authority for an eleven hour dissertation on the flaws of: the Patriot Act, the replacement the USA Freedom Act, bulk data collection including credit card purchases, the DEA and IRS's use of NSA intel. for "parallel construction", warrant-less GPS bugs on vehicles, as well as the important distinction of a general warrant versus a specific one. "There is a general veil of suspicion that is placed on every American now. Every American is somehow said to be under suspicion because we are collecting the records of every American," Paul said. The questions is what did the "filibuster" really accomplish? The speeches caused a delay in Senate business but it's unclear what larger effect, if any, that will have.
Businesses

Security Researchers Wary of Wassenaar Rules 34

Posted by samzenpus
from the rules-of-the-game dept.
msm1267 writes: The Commerce Department's Bureau of Industry and Security today made public its proposal to implement the controversial Wassenaar Arrangement, and computer security specialists are wary of its language and vagaries. For starters, its definition of "intrusion software" that originally was meant to stem the effect of spying software such as FinFisher and Hacking Team, has also apparently snared many penetration testing tools. Also, despite the Commerce Department's insistence that vulnerability research does not fall under Wassenaar, researchers say that's up for interpretation.
Communications

Academics Build a New Tor Client Designed To Beat the NSA 62

Posted by timothy
from the non-spy-vs-spy dept.
An anonymous reader writes: In response to a slew of new research about network-level attacks against Tor, academics from the U.S. and Israel built a new Tor client called Astoria designed to beat adversaries like the NSA, GCHQ, or Chinese intelligence who can monitor a user's Tor traffic from entry to exit. Astoria differs most significantly from Tor's default client in how it selects the circuits that connect a user to the network and then to the outside Internet. The tool is an algorithm designed to more accurately predict attacks and then securely select relays that mitigate timing attack opportunities for top-tier adversaries.
Security

Stanford Researcher Finds Little To Love In Would-Be Hacker Marketplace 73

Posted by timothy
from the it-is-what-it-is dept.
An anonymous reader writes: What if there were an Uber for hackers? Well, there is. It's called Hacker's List, and it made the front page of the New York Times this year. Anyone can post or bid on an 'ethical' hacking project. According to new Stanford research, however, the site is a wreck. 'Most requests are unsophisticated and unlawful, very few deals are actually struck, and most completed projects appear to be criminal.' And it gets worse. 'Many users on Hacker's List are trivially identifiable,' with an email address or Facebook account. The research dataset includes thousands of individuals soliciting federal crimes.
Privacy

CareFirst Admits More Than a Million Customer Accounts Were Exposed In Security Breach 82

Posted by timothy
from the camel-cased-in-triplicate dept.
An anonymous reader writes with news, as reported by The Stack, that regional health insurer CareFirst BlueCross BlueShield, has confirmed a breach which took place last summer, and may have leaked personal details of as many as 1.1 million of the company's customers: "The Washington D.C.-based firm announced yesterday that the hack had taken place in June last year. CareFirst said that the breach had been a 'sophisticated cyberattack' and that those behind the crime had accessed and potentially stolen sensitive customer data including names, dates of birth, email addresses and ID numbers. All affected members will receive letters of apology, offering two years of free credit monitoring and identity threat protection as compensation, CareFirst said in a statement posted on its website." Free credit monitoring is pretty weak sauce for anyone who actually ends up faced with identity fraud.
Government

US Proposes Tighter Export Rules For Computer Security Tools 126

Posted by timothy
from the we'd-like-to-inspect-that-package dept.
itwbennett writes: The U.S. Commerce Department has proposed tighter export rules for computer security tools and could prohibit the export of penetration testing tools without a license. The proposal would modify rules added to the Wassenaar Arrangement in 2013 that limit the export of technologies related to intrusion and traffic inspection. The definition of intrusion software would also encompass 'proprietary research on the vulnerabilities and exploitation of computers and network-capable devices,' the proposal said.
Bug

Linux 4.0 Has a File-System Corruption Problem, RAID Users Warned 225

Posted by timothy
from the don't-store-the-ark-there dept.
An anonymous reader writes: For the past few days kernel developers and Linux users have been investigating an EXT4 file-system corruption issue affecting the latest stable kernel series (Linux 4.0) and the current development code (Linux 4.1). It turns out that Linux users running the EXT4 file-system on a RAID0 configuration can easily destroy their file-system with this newest "stable" kernel. The cause and fix have materialized but it hasn't yet worked its way out into the mainline kernel, thus users should be warned before quickly upgrading to the new kernel on systems with EXT4 and RAID0.